libvirt/tests
Stefan Berger a3f3ab4c9c nwfilter: Add support for ipset
This patch adds support for the recent ipset iptables extension
to libvirt's nwfilter subsystem. Ipset allows one to maintain 'sets'
of IP addresses, ports and other packet parameters and allows for
faster lookup (in the order of O(1) vs. O(n)) and rule evaluation
to achieve higher throughput than what can be achieved with
individual iptables rules.

On the command line iptables supports ipset using

iptables ... -m set --match-set <ipset name> <flags> -j ...

where 'ipset name' is the name of a previously created ipset and
flags is a comma-separated list of up to 6 flags. Flags use 'src' and 'dst'
for selecting IP addresses, ports etc. from the source or
destination part of a packet. So a concrete example may look like this:

iptables -A INPUT -m set --match-set test src,src -j ACCEPT

Since ipset management is quite complex, the idea was to leave ipset
management outside of libvirt but still allow users to reference an ipset.
The user would have to make sure the ipset is available once the VM is
started so that the iptables rule(s) referencing the ipset can be created.

Using XML to describe an ipset in an nwfilter rule would then look as
follows:

  <rule action='accept' direction='in'>
    <all ipset='test' ipsetflags='src,src'/>
  </rule>

The two parameters on the command line are also the two distinct XML attributes
'ipset' and 'ipsetflags'.

FYI: Here is the man page for ipset:

https://ipset.netfilter.org/ipset.man.html

Regards,
    Stefan
2012-05-21 06:26:34 -04:00
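The commit message above explains the mapping between the nwfilter XML attributes 'ipset' / 'ipsetflags' and the iptables '-m set --match-set <name> <flags>' syntax. The following is an added example, not code from the libvirt commit or project, showing how a rule like the one quoted would be parsed and translated into an iptables argument vector. Because the ipset name and flags come from user-supplied XML and end up on an iptables command line, the example validates both before building the argv (passing a list, never a shell string), so a name like `test;rm -rf /` is rejected rather than forwarded. The name character set and the 31-character limit, the 'src'/'dst' flag vocabulary and the 6-flag maximum from the message, and the accept/drop target mapping are assumptions made here for illustration; the chain the rule is installed in is deliberately left out because libvirt manages its own chains. The sample rule is constructed from the XML in the commit message.

```python
import re
import xml.etree.ElementTree as ET

# Assumed constraints for this example (not taken from libvirt's code):
# a plain-identifier ipset name of at most 31 characters, and 1..6
# comma-separated flags, each 'src' or 'dst', as in iptables '-m set'.
IPSET_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,31}$")
MAX_FLAGS = 6
VALID_FLAGS = {"src", "dst"}
# Assumed mapping of the nwfilter rule action to an iptables target.
TARGETS = {"accept": "ACCEPT", "drop": "DROP"}

# Constructed sample: the rule shown in the commit message.
SAMPLE_RULE = """
  <rule action='accept' direction='in'>
    <all ipset='test' ipsetflags='src,src'/>
  </rule>
"""


def parse_ipset_rule(xml_text):
    """Extract action, direction, protocol, ipset and ipsetflags from an nwfilter <rule>."""
    rule = ET.fromstring(xml_text.strip())
    if rule.tag != "rule":
        raise ValueError("expected a <rule> element, got <%s>" % rule.tag)
    children = list(rule)
    if len(children) != 1:
        raise ValueError("expected exactly one protocol element inside <rule>")
    proto = children[0]
    return {
        "action": rule.get("action"),
        "direction": rule.get("direction"),
        "protocol": proto.tag,
        "ipset": proto.get("ipset"),
        "ipsetflags": proto.get("ipsetflags"),
    }


def validate_ipset_ref(name, flags):
    """Return the flag list if name/flags are acceptable, else raise ValueError.

    The name is checked against a strict whitelist so that whatever appears in
    the XML cannot smuggle extra arguments or shell metacharacters into the
    iptables invocation.
    """
    if name is None or not IPSET_NAME_RE.match(name):
        raise ValueError("invalid ipset name: %r" % (name,))
    parts = flags.split(",") if flags else []
    if not 1 <= len(parts) <= MAX_FLAGS:
        raise ValueError("ipsetflags must have 1..%d entries, got %d" % (MAX_FLAGS, len(parts)))
    for flag in parts:
        if flag not in VALID_FLAGS:
            raise ValueError("invalid ipset flag: %r" % (flag,))
    return parts


def is_valid_ipset_ref(name, flags):
    """Boolean wrapper around validate_ipset_ref for callers that only need yes/no."""
    try:
        validate_ipset_ref(name, flags)
        return True
    except ValueError:
        return False


def build_match_set_args(rule):
    """Build the iptables argv fragment: -m set --match-set <name> <flags> -j <TARGET>.

    Returned as a list so it can be appended to an argv and executed without
    a shell; the chain (-A ...) is intentionally not part of this example.
    """
    flags = validate_ipset_ref(rule["ipset"], rule["ipsetflags"])
    target = TARGETS.get(rule["action"])
    if target is None:
        raise ValueError("unsupported rule action: %r" % (rule["action"],))
    return ["-m", "set", "--match-set", rule["ipset"], ",".join(flags), "-j", target]


if __name__ == "__main__":
    parsed = parse_ipset_rule(SAMPLE_RULE)
    print(parsed)
    print(" ".join(build_match_set_args(parsed)))
```

The validation is the security-relevant part: the commit message notes that the ipset must already exist when the VM starts, but nothing in the XML guarantees the name is well-formed, so a translator like this must treat 'ipset' and 'ipsetflags' as untrusted input before they reach iptables.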
capabilityschemadata microblaze: Add architecture support 2011-07-07 17:49:21 -06:00
commanddata command: handle empty buffer argument correctly 2011-12-03 15:55:46 -07:00
confdata Change the default of mdns_adv to false 2012-03-27 09:54:49 -06:00
cputestdata Removed more AMD-specific features from cpu64-rhel* models 2012-03-09 14:36:31 +01:00
domainschemadata openvz: read vmguarpages/privvmpages to set memory tunables 2012-05-04 09:09:07 +02:00
domainsnapshotxml2xmlin snapshot: also support disks by path 2011-09-05 07:03:04 -06:00
domainsnapshotxml2xmlout qemu: Support numad 2012-03-15 12:24:56 +08:00
interfaceschemadata Update interface.rng and xml test files to match netcf 0.1.5 2010-01-19 21:13:03 +01:00
lxcxml2xmldata numad: Always output 'placement' of <vcpu> 2012-05-08 16:57:37 -06:00
networkxml2argvdata tests: dynamically replace dnsmasq path 2012-02-01 17:02:45 -07:00
networkxml2xmlin Adding the element pf to network xml. 2012-01-11 13:10:21 -07:00
networkxml2xmlout Adding the element pf to network xml. 2012-01-11 13:10:21 -07:00
nodedevschemadata nodedev: Add removable storage 'media_label' prop 2009-12-14 14:58:23 +01:00
nodeinfodata nodeinfo: test more details 2012-05-16 10:23:06 -06:00
nwfilterxml2xmlin nwfilter: Add support for ipset 2012-05-21 06:26:34 -04:00
nwfilterxml2xmlout nwfilter: Add support for ipset 2012-05-21 06:26:34 -04:00
qemuhelpdata qemu: Add support for -no-user-config 2012-05-15 20:29:12 +02:00
qemuxml2argvdata tests: add ich6 codec type test to qemuxml2argv-sound-device 2012-05-17 11:43:35 -06:00
qemuxml2xmloutdata Fix logic for assigning PCI addresses to USB2 companion controllers 2012-05-15 17:07:34 +01:00
qemuxmlnsdata xml: output memory unit for clarity 2012-03-07 18:24:43 -07:00
sexpr2xmldata numad: Always output 'placement' of <vcpu> 2012-05-08 16:57:37 -06:00
storagepoolxml2xmlin storage: add support for Vendor and Model in XML 2010-08-19 15:58:43 -06:00
storagepoolxml2xmlout xml: output memory unit for clarity 2012-03-07 18:24:43 -07:00
storagevolxml2xmlin storage: support more scaling suffixes 2012-03-07 18:24:43 -07:00
storagevolxml2xmlout xml: output memory unit for clarity 2012-03-07 18:24:43 -07:00
vmx2xmldata numad: Always output 'placement' of <vcpu> 2012-05-08 16:57:37 -06:00
xencapsdata Add suspend info to Xen, LXC and UML hypervisor capabilities 2011-11-30 10:12:30 +00:00
xmconfigdata numad: Always output 'placement' of <vcpu> 2012-05-08 16:57:37 -06:00
xml2sexprdata Xen: Fix <clock> handling 2012-04-02 09:33:54 -06:00
xml2vmxdata xml: output memory unit for clarity 2012-03-07 18:24:43 -07:00
.valgrind.supp tests: suppress more valgrind situations 2011-05-03 08:03:39 -06:00
capabilityschematest Make test suite output less verbose 2010-01-15 16:28:05 +00:00
commandhelper.c Disable build of commandhelper & ssh on Win32 2012-03-30 11:47:14 +01:00
commandtest.c More coverity findings addressed 2012-04-27 17:25:35 -04:00
conftest.c tests: Lower stack usage below 4096 bytes 2011-04-30 19:59:52 +02:00
cpuset numad: Always output 'placement' of <vcpu> 2012-05-08 16:57:37 -06:00
cputest.c cpu: Improve error reporting on incompatible CPUs 2012-04-23 10:59:51 +02:00
define-dev-segfault numad: Always output 'placement' of <vcpu> 2012-05-08 16:57:37 -06:00
domainschematest Add LXC XML files to schema test & fix problems this uncovers 2012-03-27 15:52:25 +01:00
domainsnapshotschematest Domain snapshot RNG and tests. 2010-05-20 13:50:03 -04:00
domainsnapshotxml2xmltest.c Cleanup for a return statement in source files 2012-03-26 14:45:22 -06:00
esxutilstest.c build: properly skip tests 2011-12-01 13:49:20 -07:00
eventtest.c tests: simplify common setup 2011-04-29 10:21:20 -06:00
int-overflow tests: Don't use bash if we don't have to 2011-07-29 17:17:21 +02:00
interfaceschematest Make test suite output less verbose 2010-01-15 16:28:05 +00:00
interfacexml2xmltest.c Cleanup for a return statement in source files 2012-03-26 14:45:22 -06:00
jsontest.c Add test case for parsing JSON docs 2011-06-30 18:04:02 +01:00
libvirtd-fail Fix up "make check" 2009-10-07 12:18:13 +02:00
libvirtd-pool Fix up "make check" 2009-10-07 12:18:13 +02:00
libvirtdconftest.c Replace daemon-conf test script with a proper test case 2012-04-10 11:13:44 +01:00
lxcxml2xmltest.c build: silence recent syntax check violations 2012-03-29 21:23:59 -06:00
Makefile.am build: avoid link failure on Windows 2012-05-07 16:11:28 -06:00
networkschematest Make test suite output less verbose 2010-01-15 16:28:05 +00:00
networkxml2argvtest.c test: fix segfault in networkxml2argvtest 2012-04-05 07:04:43 -04:00
networkxml2xmltest.c Cleanup for a return statement in source files 2012-03-26 14:45:22 -06:00
nodedevschematest Make test suite output less verbose 2010-01-15 16:28:05 +00:00
nodedevxml2xmltest.c Cleanup for a return statement in source files 2012-03-26 14:45:22 -06:00
nodeinfotest.c nodeinfo: test more details 2012-05-16 10:23:06 -06:00
nwfilterschematest nwfilter: Add filter schema for nwfilter XML, extend domain XML schema 2010-04-06 11:09:46 -04:00
nwfilterxml2xmltest.c nwfilter: Add support for ipset 2012-05-21 06:26:34 -04:00
object-locking.ml maint: typo fixes 2011-06-24 08:01:10 -06:00
oomtrace.pl maint: mark more perl scripts executable 2011-05-16 10:12:21 -06:00
openvzutilstest.c numad: Always output 'placement' of <vcpu> 2012-05-08 16:57:37 -06:00
openvzutilstest.conf openvz: Add simple test for openvzReadNetworkConf 2011-06-01 11:58:15 +02:00
pkix_asn1_tab.c Add a test case for certificate validation 2011-07-22 15:18:32 +01:00
qemuargv2xmltest.c Cleanup for a return statement in source files 2012-03-26 14:45:22 -06:00
qemuhelptest.c qemu: test CAPS_HDA_MICRO 2012-05-17 11:12:40 -06:00
qemumonitortest.c qemu: unescape HMP commands before converting them to json 2012-02-27 16:06:02 -07:00
qemuxml2argvtest.c tests: add ich6 codec type test to qemuxml2argv-sound-device 2012-05-17 11:43:35 -06:00
qemuxml2xmltest.c tests: add ich6 codec type test to qemuxml2argv-sound-device 2012-05-17 11:43:35 -06:00
qemuxmlnstest.c Cleanup for a return statement in source files 2012-03-26 14:45:22 -06:00
read-bufsiz tests: Update read-bufsiz to delete the UUID of vm XML 2012-04-17 22:56:18 +08:00
read-non-seekable tests: use GPLv2+, not GPLv3 2010-05-12 08:41:10 +02:00
reconnect.c tests: avoid xend ABRT crash report 2011-11-18 15:00:18 -07:00
schematestutils.sh tests: fix schema checks sorting 2011-12-22 13:01:09 -07:00
seclabeltest.c Pass the virt driver name into security drivers 2012-05-16 10:05:46 +01:00
sexpr2xmltest.c Consistent style for usage of sizeof operator 2012-03-30 11:47:24 +01:00
shunloadhelper.c Prevent crash from dlclose() of libvirt.so 2011-09-16 15:51:31 -06:00
shunloadtest.c build: properly skip tests 2011-12-01 13:49:20 -07:00
sockettest.c Cleanup for a return statement in source files 2012-03-26 14:45:22 -06:00
ssh.c Disable build of commandhelper & ssh on Win32 2012-03-30 11:47:14 +01:00
start tests: use GPLv2+, not GPLv3 2010-05-12 08:41:10 +02:00
statstest.c Cleanup for a return statement in source files 2012-03-26 14:45:22 -06:00
storagepoolschematest Make test suite output less verbose 2010-01-15 16:28:05 +00:00
storagepoolxml2xmltest.c Cleanup for a return statement in source files 2012-03-26 14:45:22 -06:00
storagevolschematest Make test suite output less verbose 2010-01-15 16:28:05 +00:00
storagevolxml2xmltest.c Cleanup for a return statement in source files 2012-03-26 14:45:22 -06:00
test_conf.sh Make test suite output less verbose 2010-01-15 16:28:05 +00:00
test-lib.sh tests: simplify formatting 2011-07-11 09:21:37 -06:00
testutils.c Allow stack traces to be included with log messages 2012-05-15 17:01:40 +01:00
testutils.h Fix format specifiers in test cases on Win32 2012-04-04 14:33:27 +01:00
testutilslxc.c Add support for setting init argv for LXC 2012-03-27 15:52:25 +01:00
testutilslxc.h Add support for setting init argv for LXC 2012-03-27 15:52:25 +01:00
testutilsqemu.c tests: avoid compiler warnings 2012-04-05 22:07:41 -06:00
testutilsqemu.h remove all trailing blank lines 2009-07-16 15:06:42 +02:00
testutilsxen.c Fix default console type setting 2011-11-03 12:01:48 +00:00
testutilsxen.h remove all trailing blank lines 2009-07-16 15:06:42 +02:00
undefine virsh: properly interleave shared stdout and stderr 2011-08-19 09:22:22 -06:00
utiltest.c build: avoid 'make syntax-check' failure 2011-07-01 16:46:20 -06:00
vcpupin tests: use GPLv2+, not GPLv3 2010-05-12 08:41:10 +02:00
virauthconfigtest.c Cleanup for a return statement in source files 2012-03-26 14:45:22 -06:00
virbuftest.c Cleanup for a return statement in source files 2012-03-26 14:45:22 -06:00
virhashdata.h Rename hash.h and hash.c to virhash.h and virhash.c 2012-01-26 14:11:13 +00:00
virhashtest.c Fix format specifiers in test cases on Win32 2012-04-04 14:33:27 +01:00
virkeyfiletest.c Cleanup for a return statement in source files 2012-03-26 14:45:22 -06:00
virnetmessagetest.c Cleanup for a return statement in source files 2012-03-26 14:45:22 -06:00
virnetsockettest.c Consistent style for usage of sizeof operator 2012-03-30 11:47:24 +01:00
virnettlscontexttest.c test: fix build errors with gcc 4.7.0 and -O0 2012-04-05 22:07:41 -06:00
virsh-all tests: use GPLv2+, not GPLv3 2010-05-12 08:41:10 +02:00
virsh-optparse build: update to latest gnulib 2011-12-01 14:12:59 -07:00
virsh-schedinfo build: update to latest gnulib 2011-12-01 14:12:59 -07:00
virsh-synopsis tests: use GPLv2+, not GPLv3 2010-05-12 08:41:10 +02:00
virshtest.c virsh: output scaled values with correct units 2012-05-01 14:58:14 -06:00
virt-aa-helper-test fix AppArmor driver for pipe character devices 2011-09-28 15:43:39 +08:00
virtimetest.c Cleanup for a return statement in source files 2012-03-26 14:45:22 -06:00
viruritest.c tests: avoid compiler warnings 2012-04-05 22:07:41 -06:00
vmx2xmltest.c vmx: Better Workstation vmx handling 2012-02-24 11:53:23 +01:00
xencapstest.c Cleanup for a return statement in source files 2012-03-26 14:45:22 -06:00
xmconfigtest.c Cleanup for a return statement in source files 2012-03-26 14:45:22 -06:00
xml2sexprtest.c Cleanup for a return statement in source files 2012-03-26 14:45:22 -06:00
xml2vmxtest.c vmx: Better Workstation vmx handling 2012-02-24 11:53:23 +01:00